HTML/Phish.EQ

[joker31]

I have a problem that started yesterday. My
System Mechanic anti virus started catching
HTML/Phish.EQ. I get it with IE, EDGE, Google
but not with Google Chrome whenever I
select a sign on screen. I tried to follow the
path that my anti virus says it is on but I cannot
follow it to the end. Does anyone know
how I can get rid of this permanently?

 

[Tim Locke]

Sounds like the sort of thing that MalwareBytes will find or the Microsoft Malicious software removal tool ( mrt.exe)

You could post the path that leads to this thing.

 

[joker31]

Sounds like the sort of thing that MalwareBytes will find or the Microsoft Malicious software removal tool ( mrt.exe)

You could post the path that leads to this thing.

c:\users\joe'spc\appdata\local\microsoft\windows\inetcache\low\ie.ip7881zu\servicelogin[1].htm

 

[joker31]

I ran malwarebytes and MRT.exe. Neither of them showed any infections. Also the path changes depending which browser I am using.

 

[Trouble]

Try these four
JRT (Junkware Removal Tool) from here http://www.bleepingcomputer.com/download/junkware-removal-tool/dl/131/
ADWcleaner from here http://www.bleepingcomputer.com/download/adwcleaner/dl/125/
RogueKiller from here http://www.bleepingcomputer.com/download/roguekiller/
Norton Power Eraser from here https://security.symantec.com/nbrt/npe.aspx
In that order and then finish up by running
ESET Online Scanner from here http://www.eset.com/us/online-scanner/

Eset online scanner is a bit different than the others in that you need to either use
IE or download and run their smart installer if you're using another browser. Then tick
the radio button that says "Enable detection of potentiall unwanted application"
Then click the link that says "Advanced settings", then check all the boxes except the
one that mentions "Use custom proxy settings", unless of course you're using a Proxy
Server. Then just click "Start", it will do a thorough system scan so it takes a long
time.

 

[Emiki]

I have a problem that started yesterday. My
System Mechanic anti virus started catching
HTML/Phish.EQ. I get it with IE, EDGE, Google
but not with Google Chrome whenever I
select a sign on screen. I tried to follow the
path that my anti virus says it is on but I cannot
follow it to the end. Does anyone know
how I can get rid of this permanently?

I too just started having this issue. Fortunately (and unfortunately) System Mechanic stops this HTML/Phish.EQ (Password Stealer) before it infects the computer so when full scans are done, it does not show up as being infected.

 

[Emiki]

Try these four
JRT (Junkware Removal Tool) from here http://www.bleepingcomputer.com/download/junkware-removal-tool/dl/131/
ADWcleaner from here http://www.bleepingcomputer.com/download/adwcleaner/dl/125/
RogueKiller from here http://www.bleepingcomputer.com/download/roguekiller/
Norton Power Eraser from here https://security.symantec.com/nbrt/npe.aspx
In that order and then finish up by running
ESET Online Scanner from here http://www.eset.com/us/online-scanner/

Well, I did all you suggested except for the ESET Online Scanner. Unfortunately, I can't purchase that program at this time and that site does not offer a free scan like the others.

As for the HTML/Phish.EQ infection, it still attempts to install but lucky for me (I guess) System Mechanic Professional (Real-Time protection) seems to grab it and quarantine it the moment I go to google gmail.com website and before I enter my information to log in and check my emails. I don't use Chrome because I really don't care for Google products other than their email part and only because I've been using them for almost 14 years. I hate the thought of having to establish a new online email address with someone else as I do not use the mail service provided by my internet service provider.

Any more ideas about this issue?

 

[Trouble]

Yes it does, it's a free one time scanner
http://www.eset.com/us/online-scanner/
The one on the left that says "SCAN NOW"

 

[Emiki]

Yes it does, it's a free one time scanner
http://www.eset.com/us/online-scanner/
The one on the left that says "SCAN NOW"

View attachment 3117

okay will go try that one .. that's not the webpage I get when clicking on your link. Could that be because I am using Microsoft Edge as my browser?

okay, your link sends me to the webpage for MAC users..LoL. I did get there eventually and am doing the scan now. Will be back afterwards to let you know the outcome. Thank you so much for your help with this.

 

[Trouble]

Could that be because I am using Microsoft Edge as my browser?

Perhaps. Try using IE instead
Start button, all apps, windows accessories, internet explorer
See if that makes a difference.

 

[Emiki]

Perhaps. Try using IE instead
Start button, all apps, windows accessories, internet explorer
See if that makes a difference.

okay, your link sends me to the webpage for MAC users..LoL. I did get there eventually and am doing the scan now. Will be back afterwards to let you know the outcome. Thank you so much for your help with this. I'm thinking of deleting IE since I've gotten use to Microsoft Edge.

 

[joker31]

Try these four
JRT (Junkware Removal Tool) from here http://www.bleepingcomputer.com/download/junkware-removal-tool/dl/131/
ADWcleaner from here http://www.bleepingcomputer.com/download/adwcleaner/dl/125/
RogueKiller from here http://www.bleepingcomputer.com/download/roguekiller/
Norton Power Eraser from here https://security.symantec.com/nbrt/npe.aspx
In that order and then finish up by running
ESET Online Scanner from here http://www.eset.com/us/online-scanner/

The Junkware Removal Tool did the trick.

Successfully deleted: C:\ProgramData\Start Menu\Programs\search.lnk (Shortcut)
Successfully deleted: C:\WINDOWS\prefetch\PWFREE91.TMP-BCD2FAB9.pf (File)
Successfully deleted: C:\WINDOWS\prefetch\PWFREE91.TMP-C58AB07F.pf (File)

Once they were deleted I am no longer get the error. Thanks!

 

[Trouble]

You're welcome.
Often these things cannot be defeated with one or even two utilities. It often takes a multi-pronged approach and even then it can still be difficult to target.
By the way, JRT is a product produced by Malwarebytes, the same tool you mentioned using earlier. It just uses a different approach to get to the same end.
I use as many as a dozen of such utilities including Combofix, SuperAntiSpyware, Hitman Pro and others and I've found sometimes one will catch something that another misses for some reason.
I always leave Eset Online Scanner for last and if I get a clean bill of health from it, I feel pretty confident that the computer is clean (ignoring of course anything it might find in the other tool's quarantine folders).

 

[Emiki]

You're welcome.
Often these things cannot be defeated with one or even two utilities. It often takes a multi-pronged approach and even then it can still be difficult to target.
By the way, JRT is a product produced by Malwarebytes, the same tool you mentioned using earlier. It just uses a different approach to get to the same end.
I use as many as a dozen of such utilities including Combofix, SuperAntiSpyware, Hitman Pro and others and I've found sometimes one will catch something that another misses for some reason.
I always leave Eset Online Scanner for last and if I get a clean bill of health from it, I feel pretty confident that the computer is clean (ignoring of course anything it might find in the other tool's quarantine folders).

Well, I'm back and for about 5 hours it was gone. I took a nap and when I logged in just now and went to gmail.com to check my emails ... System Mechanic threw up the alert that it blocked and quarantined the Phish.EQ. So now I'm frustrated again .. LoL.

 

[Trouble]

I've found that when reinfection seems to keep happening even after a thorough cleaning, apparently leaving the machine free of malware, that it can sometimes hide in System Restore points and or use Schedule Tasks to recall the malware. These types of infections can be very difficult to get rid of because some scheduled tasks are or can be actually hidden from the normal Task Scheduler viewer.
There are other tools such as Farbar Recovery Scan Tool as well as a couple others that can help with these types of infections but they are not utilities can normally be used without proper instructions from qualified users.
I was just reading about what Microsoft has to say about your infection
https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=PWS:HTML/Phish.EQ

This threat can steal your personal information, such as your user names and passwords. It sends the stolen information to a malicious hacker.

But not a lot of info as to what to do next, except running a scan with Defender and Microsoft Safety Scanner

 

[Emiki]

I was just reading about what Microsoft has to say about your infection
https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=PWS:HTML/Phish.EQ

But not a lot of info as to what to do next, except running a scan with Defender and Microsoft Safety Scanner

Okay, I will try that. This is making me crazy. I only go to specific websites that I have been using for years so it has me scratching my head as to why all of a sudden when I go to the google gmail website, I get this problem.

 

[Emiki]

I'm back .. LoL. I ran Defender and Microsoft Safety Scanner and they found nothing. I'm a tad bit afraid to go to the gmail.com website at the moment. Which also means I can't get to my email either. What I am wondering now is if this issue has something to do with System Mechanic Professional by Iolo. Should I get a different antivirus/spyware program? I've used System Mechanic for about 8 years now and they seem pretty much on top of things. But then again, I used to use AVG (for about 8 years too) and a disgruntled ex-employee attached a virus to the updating definitions. What a whirlwind that was.

 

[Emiki]

Well, I still have the problem

 

[Trouble]

Not sure what to tell you, short of involving an expert in this type of matter I'm not sure what else I could suggest.
There are forums that semi-specialize in these things, like Bleeping Computer. They have some excellent folks over there who are definitely experts at beating up on malware.
You might give them a try and see if they can be of more help. I really wish I could help you further but we aren't really that type of forum and have a more broader and general focus and you need some targeted specific help that I simply cannot provide and I would really like to see you get it.

 

[Norton]

If you have Malwarebytes Premium click on support and they will assign a tech to assist you each step of the process. They too run Farbar and JRT also will ask you uninstall and do a clean install of Mambam. Make sure you take note of Mabam's ID key and Identifier for installation.